Postfix: SSL_accept: error in before SSL initialization

Hello, please help me solve a mail issue. See all the information below:

The operating system my web server runs on is (include version): Raspberry Pi OS Debian GNU/Linux 12 (Linux 6.6.74+rpt-rpi-v8)

My hosting provider, if applicable, is: Local ISP Lanet. I contacted them and got the answer that they don't block port 25.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, I use SSH myself.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0


I have a mail server: Postfix 3.7.11 + Dovecot 2.3.19.1. I opened all necessary ports on my router. I set up the Thunderbird client and I can send messages to Gmail. I added A, MX, DMARC, DKIM and SPF DNS records on Cloudflare.

Unfortunately, I can't receive mail from Gmail.
My Postfix logs:

Feb 12 16:04:10 mail postfix/smtpd[207040]: connect from mail-ed1-f41.google.com[209.85.208.41]
Feb 12 16:04:10 mail postfix/smtpd[207040]: setting up TLS connection from mail-ed1-f41.google.com[209.85.208.41]
Feb 12 16:04:10 mail postfix/smtpd[207040]: mail-ed1-f41.google.com[209.85.208.41]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 12 16:04:10 mail postfix/smtpd[207040]: SSL_accept:before SSL initialization
Feb 12 16:05:18 mail postfix/smtpd[208116]: SSL_accept:error in before SSL initialization

As I understand it, my settings are correct, but maybe it is caused by a misunderstanding of which certificate to use? In this case, I use the mail.ostrich.kyiv.ua certificate.

After 12 hours I got message back:

The recipient server did not accept our requests to connect. For more information, go to support page [mydomainname, myip: unable to read banner]

My config file has banner settings:

smtpd_banner = $myhostname ESMTP $mail_name
myhostname = mail.ostrich.kyiv.ua

So I ask this community because I have two domains:

  1. ostrich.kyiv.ua - for my web server and it is ma
  2. mail.ostrich.kyiv.ua - I set up this domain for the mail server and issued an additional certificate for it to cover the subdomain *.ostrich.kyiv.ua

in this case, for example:

  1. /etc/letsencrypt/live/ostrich.kyiv.ua-0001/fullchain.pem - for mail.ostrich.kyiv.ua
  2. /etc/letsencrypt/live/ostrich.kyiv.ua/fullchain.pem - for ostrich.kyiv.ua (not used for mail)

Any suggestions on how to fix it?

/etc/postfix/main.cf

myorigin = /etc/mailname

myhostname = mail.ostrich.kyiv.ua
mydomain = ostrich.kyiv.ua

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6

smtpd_tls_cert_file = /etc/letsencrypt/live/ostrich.kyiv.ua-0001/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/ostrich.kyiv.ua-0001/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_wrappermode = yes
smtpd_tls_loglevel = 2
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_eecdh_grade = strong
smtpd_use_tls = yes

smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = >=TLSv1.2

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

mydestination = ostrich.kyiv.ua, mail.ostrich.kyiv.ua, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
maillog_file = /var/log/mail.log
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/postfix/master.cf

smtp inet n - y - - smtpd
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 defer
trace unix - - y - 0 trace
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

/etc/dovecot/dovecot.conf

!include_try /usr/share/dovecot/protocols.d/*.protocol
!include conf.d/*.conf
!include_try local.conf
log_path = /var/log/dovecot.log
auth_verbose = yes
protocols = imap lmtp

/etc/dovecot/conf.d/10-ssl.conf

ssl = required
ssl_cert = </etc/letsencrypt/live/ostrich.kyiv.ua-0001/fullchain.pem
ssl_key = </etc/letsencrypt/live/ostrich.kyiv.ua-0001/privkey.pem
ssl_ca = </etc/letsencrypt/live/ostrich.kyiv.ua-0001/chain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem

/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = yes
auth_username_format = %n
auth_mechanisms = plain login
!include auth-system.conf.ext

/etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service submission-login {
  inet_listener submission {
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

1 Like

That's true:

% nmap -sV -p 25,465,587 mail.ostrich.kyiv.ua
Starting Nmap 7.92 ( https://nmap.org ) at 2025-02-12 16:13 CET
Nmap scan report for mail.ostrich.kyiv.ua (176.37.183.122)
Host is up (0.033s latency).
rDNS record for 176.37.183.122: host-176-37-183-122.b025.la.net.ua

PORT    STATE SERVICE  VERSION
25/tcp  open  ssl/smtp Postfix smtpd
465/tcp open  ssl/smtp Postfix smtpd
587/tcp open  smtp     Postfix smtpd
Service Info: Host:  mail.ostrich.kyiv.ua

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

The issue is funnier, on port 25 I expect starttls, not smtp over tls :smiley:

3 Likes

Unbelievable! I changed the configuration (see below).
Please tell me, do I need to use all of these ports? I mean 25, 465, 587 and 993.

Now I see the following result:

PORT    STATE SERVICE  VERSION
25/tcp  open  smtp     Postfix smtpd
465/tcp open  ssl/smtp Postfix smtpd
587/tcp open  smtp     Postfix smtpd

So, what about port 587? Do I need to close it to be more secure? )))
Or give me additional suggestions for securing mail.

Thank you a lot! You helped me!

/etc/postfix/main.cf

smtpd_tls_cert_file = /etc/letsencrypt/live/ostrich.kyiv.ua-0001/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/ostrich.kyiv.ua-0001/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_received_header=yes
smtpd_tls_wrappermode = no
smtpd_tls_loglevel = 2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_eecdh_grade=strong
smtpd_tls_received_header = yes

/etc/postfix/master.cf

smtp inet n - y - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/ostrich.kyiv.ua-0001/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/ostrich.kyiv.ua-0001/privkey.pem

The number of postfix ports you expose has little bearing on how secure it is. You should force starttls on port 25 (and 587).

In theory 25 is for server to server, and 587 for client to server (same protocol, different roles), starttls. While 465 uses TLS more traditionally. In practice there's not much difference. Email is confusing.

993 should be dovecot.

Adding: Mozilla SSL Configuration Generator

2 Likes

Thank you. I closed port 587 and commented out all submission settings in the Postfix configuration. I left ports 25, 465 and 993 open. The mail still works :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.